CVE-2025-3515
Published 2025-06-17
Priority P184 · Critical 9.8 (CVSS 3.1) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: Exploited in the wild · VulnCheck KEV · Initial access
EPSS: 5.09% (percentile 91.3)
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codedropz | drag_and_drop_multiple_file_upload_contact_form_7 | < 1.3.9.0 | 1.3.9.0 |
| glenwpcoder | drag_and_drop_multiple_file_upload_for_contact_form_7 | <= 1.3.8.9 | — |
| msrc | cbl2_gnupg2_2.4.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_gnupg2_2.2.20-4_on_cbl_mariner_1.0 | — | — |
| msrc | cm1_libksba_1.3.5-5_on_cbl_mariner_1.0 | — | — |
Detection & IOCs (extracted from sources)
- Look for unauthenticated POST requests to /wp-admin/admin-ajax.php with action=dnd_codedropz_upload and a multipart upload containing a .phar file (Content-Type: image/png spoofing).
- Monitor for files appearing under /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/ with .phar or other non-image extensions, indicating a successful bypass of the plugin's blacklist.
- A JSON response containing '"success":true' from admin-ajax.php following a .phar upload attempt confirms successful exploitation.
- Check the plugin's readme.txt for a Stable tag of 1.3.8.9 or earlier to identify vulnerable installations.
- The multipart boundary ----WebKitFormBoundaryyvcxCgWuFH6hBJi4 is used in the PoC template; network signatures can key on this boundary combined with the dnd_codedropz_upload action.
- Attacker reconnaissance targets common contact page paths before uploading; watch for sequential GET requests to /contact/, /contact-us/, /submit/, /support/, /form/, /get-in-touch/ followed by a POST to admin-ajax.php.
- The HTML element 'wpcf7-drag-n-drop-file' in page source confirms the vulnerable plugin is active; attackers extract the data-name, data-id, and ajax_nonce values from it before launching the upload.
- Remote code execution via uploaded .phar files is only possible on servers configured to execute .phar files as PHP scripts; default Apache+mod_php setups are specifically at risk.
- The exploit requires a valid nonce (ajax_nonce) extracted from a page hosting the CF7 drag-and-drop form; the nonce is publicly accessible to unauthenticated users visiting the contact page.
- The CVSS score of 8.1 reflects High attack complexity (AC:H), meaning exploitation is not trivially reliable across all configurations: the server must handle .phar as executable PHP.
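An added triage script (not part of the advisory, the plugin or any of the sources listed here) that checks the two host-based indicators above: the plugin readme's Stable tag against 1.3.8.9, and file names under the wp_dndcf7_uploads directory for executable or unexpected extensions. The EXPECTED_EXTENSIONS allowlist, the PHP-extension set and the sample readme text are assumptions to adjust for the site being checked.

```python
import re
from pathlib import Path

LAST_VULNERABLE = (1, 3, 8, 9)  # advisory: all versions up to and including 1.3.8.9
UPLOAD_DIR = "wp-content/uploads/wp_dndcf7_uploads/wpcf7-files"  # path named in the indicators
# Assumption: the site only expects these upload types; adjust to the form's configuration.
EXPECTED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
# Extensions a PHP handler may execute; .phar is the one named in the advisory.
EXECUTABLE_EXTENSIONS = {"phar", "php", "phtml", "php3", "php4", "php5", "phps"}
# Constructed sample of a plugin readme.txt header (not the real file).
SAMPLE_README = "=== Drag and Drop Multiple File Upload - Contact Form 7 ===\nStable tag: 1.3.8.9\n"


def stable_tag(readme_text):
    """Return the 'Stable tag' value from a readme.txt, or None if absent."""
    m = re.search(r"^Stable tag:\s*([0-9][0-9.]*)", readme_text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable_version(version):
    """True when version <= 1.3.8.9; tuple comparison copes with 3- or 4-part tags."""
    return tuple(int(p) for p in version.split(".")) <= LAST_VULNERABLE


def classify_upload(name):
    """'executable', 'unexpected' or 'ok' for a file name under the upload directory."""
    ext = Path(name).suffix.lower().lstrip(".")
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"  # review first: runs if the web server maps it to PHP
    if ext not in EXPECTED_EXTENSIONS:
        return "unexpected"  # possible blacklist bypass, review manually
    return "ok"


def audit_upload_names(names):
    """Map every non-'ok' name to its verdict (sorted so reports are stable)."""
    return {n: classify_upload(n) for n in sorted(names) if classify_upload(n) != "ok"}


def audit_upload_dir(root=UPLOAD_DIR):
    """Walk the real upload directory and audit the file names found there."""
    base = Path(root)
    return audit_upload_names(str(p.relative_to(base)) for p in base.rglob("*") if p.is_file())


if __name__ == "__main__":
    tag = stable_tag(SAMPLE_README)
    print(f"Stable tag {tag}: {'vulnerable' if is_vulnerable_version(tag) else 'patched'}")
    # Constructed file names standing in for a directory listing.
    print(audit_upload_names(["photo.png", "resume.pdf", "shell.phar", "notes.txt"]))
```

Run it from the WordPress document root so the default UPLOAD_DIR resolves; an "executable" verdict on a live site should be treated as a confirmed bypass and handled as an incident.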
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 8.1 | HIGH | — |
| vendor_msrc | 9.8 | CRITICAL | — |
GHSA
GHSA-63j5-3fh3-7x8g (ghsa_unreviewed, 2025-06-17): CVE-2025-3515, severity HIGH, CWE-434. The advisory text is the same description given above for the CVE.
VulnCheck
codedropz drag_and_drop_multiple_file_upload_-_contact_form_7: Unrestricted Upload of File with Dangerous Type (vulncheck, 2025, CVSS 8.1, HIGH). The entry carries the same description given above for the CVE.
Affected: codedropz drag_and_drop_mult
Microsoft
This MSRC entry is for CVE-2022-3515 (Libksba, CWE-190, CRITICAL, CVSS 9.8, published 2023-01-10), which the aggregator lists alongside CVE-2025-3515.
A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example a malicious S/MIME attachment.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more i
No detection rules found.
Nuclei
Contact Form 7 Drag and Drop Multiple File Upload - Arbitrary File Upload (nuclei, CVSS 9.8, CRITICAL). The template description is the same as the CVE description given above.
Template (truncated on the page):

```yaml
id: CVE-2025-3515
info:
  name: Contact Form 7 Drag and Drop Mul
```
No writeups or analysis indexed.
Timeline: 2025-06-17 published; exploited in the wild.